Platform
nodejs
Component
terriajs-server
Fixed in
4.0.4
4.0.3
CVE-2026-27818 is a validation vulnerability in terriajs-server that allows attackers to bypass proxy restrictions. The hostname validation only checks whether a hostname ends with an allowed domain, so unauthorized domains can be proxied. Versions of terriajs-server up to 4.0.2 are affected, and a fix is available in version 4.0.3.
An attacker can exploit this vulnerability by registering a domain that ends with an allowed domain (e.g., maliciousexample.com) and then proxying content through the vulnerable terriajs-server instance. Because the validation only performs a suffix match, maliciousexample.com is incorrectly treated as allowed when example.com is in the proxyableDomains configuration. This bypasses the intended proxy restrictions and can lead to data exposure, malicious content delivery, and unauthorized access to internal resources. The blast radius extends to any users or systems relying on terriajs-server for proxying, particularly those with sensitive data or critical services.
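The suffix-only check described above, side by side with a check that enforces a label boundary. This is an added illustrative example, not terriajs-server's own code; the allow-list and target URLs are constructed sample values.

```javascript
// Weak check: a bare suffix match. "maliciousexample.com" ends with
// "example.com", so it passes even though it is an unrelated registrable domain.
function isAllowedWeak(hostname, proxyableDomains) {
  const host = hostname.toLowerCase();
  return proxyableDomains.some((d) => host.endsWith(d.toLowerCase()));
}

// Hardened check: the hostname must equal an allowed domain exactly or be a
// subdomain of it, i.e. the allowed domain must be preceded by a "." boundary.
function isAllowedStrict(hostname, proxyableDomains) {
  const host = hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  return proxyableDomains.some((d) => {
    const allowed = d.toLowerCase().replace(/^\.|\.$/g, "");
    return host === allowed || host.endsWith("." + allowed);
  });
}

// Parse the proxy target first and compare only its hostname, so userinfo,
// ports and paths cannot influence the comparison.
function checkProxyTarget(target, proxyableDomains, allowFn) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return false; // unparsable target: refuse to proxy
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return allowFn(url.hostname, proxyableDomains);
}

// Run both checks over constructed sample targets and return the verdicts.
function evaluate(targets, proxyableDomains) {
  return targets.map((target) => ({
    target,
    weak: checkProxyTarget(target, proxyableDomains, isAllowedWeak),
    strict: checkProxyTarget(target, proxyableDomains, isAllowedStrict),
  }));
}

const PROXYABLE = ["example.com"]; // constructed sample allow-list
const SAMPLES = [
  "https://example.com/tiles/1.png",       // exact match: both allow
  "https://maps.example.com/wms",          // real subdomain: both allow
  "https://maliciousexample.com/wms",      // suffix only: weak allows, strict denies
  "https://example.com.other.test/wms",    // prefix only: both deny
];

console.table(evaluate(SAMPLES, PROXYABLE));
```

The third row is the CVE: the weak column reads true while the strict column reads false.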
This vulnerability was publicly disclosed on 2026-02-26. There is no indication of active exploitation at this time, and it is not currently listed on the CISA KEV catalog. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature suggests that a simple POC could be developed relatively easily.
Organizations using terriajs-server to proxy web traffic, particularly those with sensitive data or critical services, are at risk. Shared hosting environments where multiple users share a terriajs-server instance are also particularly exposed, since a compromise of one user's account could affect the others.
• nodejs / server: ps aux | grep terriajs-server
• nodejs / server: grep -rl proxyableDomains / 2>/dev/null
• generic web: Check terriajs-server logs for requests to unexpected or unauthorized domains. Look for patterns indicating proxy bypass attempts.
• generic web: Review terriajs-server configuration files for overly permissive proxyableDomains settings.
disclosure
Exploit status
EPSS
0.10% (26th percentile)
CISA SSVC
The primary mitigation is to upgrade terriajs-server to version 4.0.3 or later, which includes the corrected validation logic. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to unexpected or unauthorized domains. Additionally, carefully review and restrict the proxyableDomains configuration to only include explicitly trusted domains. Regularly audit proxy configurations to ensure they align with security policies. After upgrading, confirm the fix by attempting to proxy a domain not explicitly listed in proxyableDomains and verifying that the request is blocked.
Upgrade TerriaJS-Server to version 4.0.3 or later. This version fixes the domain validation bypass in the proxy's allowed-domain list. The upgrade can be performed through the npm package manager.
CVE-2026-27818 is a vulnerability in terriajs-server where a validation bug allows attackers to bypass proxy restrictions by proxying unauthorized domains.
If you are using terriajs-server versions up to 4.0.2, you are potentially affected by this vulnerability.
Upgrade terriajs-server to version 4.0.3 or later to address the vulnerability. Consider WAF rules as a temporary mitigation.
There is currently no indication of active exploitation of CVE-2026-27818.
Refer to the terriajs-server project's release notes or security advisories for details on this vulnerability and the fix.